webui

Sabo/webui

Fork 0

Commit Graph

Author	SHA1	Message	Date
Nathan Esquenazi	4a3b9571f1	fix(ci): pin all GitHub Actions to full commit SHAs for supply chain security Pinned all 7 third-party actions from mutable version tags to immutable commit SHAs. Mutable tags (e.g. @v4) can be force-pushed by the action author (or a compromised account) to inject malicious code into the workflow, which runs with write access to the repo and GHCR registry. Also moved 'permissions' from workflow level to job level (best practice: scope permissions as narrowly as possible). Pin mapping: actions/checkout@v4 -> @11bd71901bbe... (v4.2.2) softprops/action-gh-release@v2 -> @c062e08bd532... (v2.2.1) docker/setup-qemu-action@v3 -> @49b3bc8e6bdd... (v3.2.0) docker/setup-buildx-action@v3 -> @c47758b77c97... (v3.7.1) docker/login-action@v3 -> @9780b0c442fb... (v3.3.0) docker/metadata-action@v5 -> @369eb591f429... (v5.6.1) docker/build-push-action@v6 -> @ca877d9245fe... (v6.10.0)	2026-04-03 21:02:08 +00:00
Nathan Esquenazi	6a61f36280	ci: add GitHub Actions workflow for multi-arch Docker + releases On tag push (v*): - Creates a GitHub Release with auto-generated release notes - Builds multi-arch Docker image (linux/amd64, linux/arm64) - Pushes to ghcr.io/nesquena/hermes-webui with semver tags - Uses GitHub Actions cache for faster builds Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-03 13:55:41 -07:00

Author

SHA1

Message

Date

Nathan Esquenazi

4a3b9571f1

fix(ci): pin all GitHub Actions to full commit SHAs for supply chain security

Pinned all 7 third-party actions from mutable version tags to immutable
commit SHAs. Mutable tags (e.g. @v4) can be force-pushed by the action
author (or a compromised account) to inject malicious code into the workflow,
which runs with write access to the repo and GHCR registry.

Also moved 'permissions' from workflow level to job level (best practice:
scope permissions as narrowly as possible).

Pin mapping:
  actions/checkout@v4               -> @11bd71901bbe...  (v4.2.2)
  softprops/action-gh-release@v2    -> @c062e08bd532...  (v2.2.1)
  docker/setup-qemu-action@v3       -> @49b3bc8e6bdd...  (v3.2.0)
  docker/setup-buildx-action@v3     -> @c47758b77c97...  (v3.7.1)
  docker/login-action@v3            -> @9780b0c442fb...  (v3.3.0)
  docker/metadata-action@v5         -> @369eb591f429...  (v5.6.1)
  docker/build-push-action@v6       -> @ca877d9245fe...  (v6.10.0)

2026-04-03 21:02:08 +00:00

Nathan Esquenazi

6a61f36280

ci: add GitHub Actions workflow for multi-arch Docker + releases

On tag push (v*):
- Creates a GitHub Release with auto-generated release notes
- Builds multi-arch Docker image (linux/amd64, linux/arm64)
- Pushes to ghcr.io/nesquena/hermes-webui with semver tags
- Uses GitHub Actions cache for faster builds

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-03 13:55:41 -07:00

2 Commits